Monday, March 30, 2015

Current login mechanisms suffer from missing support by browsers and sites.
Browsers offer in-browser password storage, but that's about it.
Standardized authentication methods like HTTP Digest Authentication and HTTP Basic Authentication were never really accepted by commercially successful sites. They work, but the user experience is bad, especially if the user does not have an account yet.

So most sites are left with form-based authentication, where the site has full control over the UI and UX. Sadly the browser has little to offer here to help the site or the user, other than trying to identify signup and login forms through crude guesses based on the existence of a password field.

There is no standardized way for sites and browsers to work together.
Here is a list of attempts to solve some of the above issues:

Federations have their drawbacks too. Even Facebook login went dark for 4h a while ago which left sites depending on Facebook without user login.

In general there is this chicken-and-egg problem:
Why should sites support new-mechanism-foo when there is no browser support?
Why should browsers support new-mechanism-foo when there are no sites using it?

Then there are password stores. I use passwordsafe to store my passwords in one place. If I do not have access to that place (PC) then I can't log in. Bummer.
Others use stores hosted on the Internet, and those usually support most browsers and OSes through plugins/addons and non-standard trickery.
I never could convince myself to trust the providers.

So. Drum-roll.
I started to work on a mechanism that has a password store on the mobile which allows you to login on your PC using your PC's camera.

Here is an example qrcode containing the credentials as a JSON array ["axel@nennker.de","password"]:

The qrcode could be printed on paper or generated by your password store on your mobile. To help the user with the selection of the matching credentials, the addon first presents a request-qrcode to be read by the mobile. This way the mobile ID-client can select the matching credentials.
(If you don't like to install addons to test this, and for a super quick demo of the qrcode reading using your webcam, please go to http://axel.nennker.de/gum.html and scan a code.)
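The exchange between the addon and the mobile ID-client described above, as an added example that is not part of the original post or the addon's code. The request-qrcode format (a JSON object with an "origin" key), the credential store and the form-field descriptors are assumptions; the credential array is the one shown in the post.

```javascript
// Added example, not the addon's own code. Models the two QR payloads the
// post describes: the request-qrcode the addon shows (format assumed here:
// a JSON object {"origin": ...}) and the credential qrcode the mobile
// answers with (["username","password"], as in the post).

// Mobile side: pick the stored credentials matching the request-qrcode.
// `store` is a constructed array of {origin, username, password}.
function selectCredentials(requestText, store) {
  let req;
  try { req = JSON.parse(requestText); } catch (e) { return null; }
  if (!req || typeof req.origin !== "string") return null;
  const hit = store.find(c => c.origin === req.origin);
  // Only ever answer with credentials stored for the requesting origin.
  return hit ? JSON.stringify([hit.username, hit.password]) : null;
}

// Browser side: validate the scanned credential payload strictly so that an
// arbitrary QR code (other JSON, wrong arity, non-strings) is rejected.
function parseCredentialQr(text) {
  let parsed;
  try { parsed = JSON.parse(text); } catch (e) { return null; }
  if (!Array.isArray(parsed) || parsed.length !== 2) return null;
  const [username, password] = parsed;
  if (typeof username !== "string" || typeof password !== "string") return null;
  if (username.length === 0 || password.length === 0) return null;
  return { username, password };
}

// The crude heuristic the post mentions: a form with a password field is a
// login form, and the username field is the nearest preceding text/email
// input. `inputs` are constructed {name, type} descriptors in document order.
function pickLoginFields(inputs) {
  const pw = inputs.findIndex(f => f.type === "password");
  if (pw < 0) return null;
  for (let i = pw - 1; i >= 0; i--) {
    if (inputs[i].type === "text" || inputs[i].type === "email") {
      return { usernameField: inputs[i].name, passwordField: inputs[pw].name };
    }
  }
  return null;
}

// Returns the field-name -> value map the addon would fill in, or null.
function fillLoginForm(qrText, inputs) {
  const creds = parseCredentialQr(qrText);
  const fields = pickLoginFields(inputs);
  if (!creds || !fields) return null;
  return { [fields.usernameField]: creds.username, [fields.passwordField]: creds.password };
}
```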

What are the benefits?

No need to change the site's JavaScript, HTML markup or HTTPS headers. No changes whatsoever are needed on the accepting site.

No need to have an extra backend server to store your credentials.

No need to have an extra backend server to help mobile and browser communicate.

No need for an enhanced browser or client. No need for the browser to know about new markup, new JavaScript APIs or HTTP headers.

What are the drawbacks?

Reading the qrcode from the mobile's screen very much depends on the light and the camera. Printed credentials work reliably, but qrcodes on mobile screens sometimes give me headaches.

You have to install the addon.

This is an alpha version. Your mileage may vary.

Screenshots:

Login page at GitHub with the addon installed:

Screen after pressing the addon's toolbar icon. The qrcode helps the mobile ID-client to find the matching credentials:

Screen showing the camera picture which is scanned for qrcodes:

This is clearly only a first step but I believe that it has potential to be a true user-centric solution that helps me and you to handle the password mess.

Yes, Fennec can talk to the Authenticator and ask for a "weblogin:" token for "com.google", but the Authenticator answers differently depending on who asks.
If Chrome is asking, then the returned token redirects you to https://accounts.google.com/ and immediately logs you in, but when you're Fennec you are just redirected to https://accounts.google.com/ and have to enter username and password. Bummer.

Anyway: how about using this scheme for Mozilla services, using a Mozilla account on the device or local to the browser (Firefox Sync) if available?

You get redirected to
https://accounts.firefox.com/ServiceLogin?service=bugzilla&passive=true&rm=false&continue=https://bugzilla.mozilla.org/show_bug.cgi?id=1030650&ss=1&scc=1&ltmpl=bugzilla&emr=1

The response includes an x-auto-login HTTP header.

Firefox sees the x-auto-login header and
- on desktop looks for a Firefox Sync account and uses it to obtain a token from a token endpoint hosted at mozilla.org,
- on Android asks the AccountManager for a weblogin token for "org.mozilla".

Firefox then redirects to the token (the token is a URL), in this case e.g. https://accounts.firefox.com/?t=accesstokenb64&...